e^blishing a secured link with a client machine when an authentication 
re^H^st is received from the client machine, the authentication request 
includiha an identifier identifying a user of the client machine to access the 
electronic dltt^ wherein the electronic data is secured in a format 
including security^ormation and an encrypted data portion, the security 
information including abqess rules and controlling restrictive access to the 
encrypted data portion; 
authenticating the user according tomeidentifier; and 
activating a user key after the user is autnbqticated, wherein the user key is 
used to access the access rules in the secutn^information. 

he method as recited fin Claim 1 further comprising maintaining an access 
(control management, wherein the access control management comprises: 
a rule manager inouding at least one set of rules for the electronic data; and 
an administration rnterface from which the rules for a designated place for the 
electronic data are created, managed, or updated. 

3. (Once amended) The method as recited in Claim 2, wherein the designated 
place is a folder and all files in the folder are subject to the rules. 




5. {Once amended) 
provides a graphic 
or updated. 



The 



4. {Once amended) 
place is a repositofy 



method as recited in Claim 2, wherein the designated 
and all files in the repository are subject to the rules. 



he method as recited in Claim 2. wherein the rule manager 
user interface from which the rules can be created, managed 



] 
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6. (Once amended) The methofl as recited in Claim 5. wherein parameters 

determining the rules from tne graphic user interface are subsequently expressed 
in a markup language. 



7. (Once amended) The method as recited in Claim 6, wherein the parameters 
expressed in the markup language are uploaded to the client machine after the 
user is authenticated. 



8. (Once amencfety) The me 
language is Extensible 



A(;cess 



9. The method as recited in 
a group consisting of 



10. The method as recited ir 
further comprises a usei 



hod as recited in Claim 7, wherein the markup 
Control Markup Language. 



Claim 7, wherein the markup language is selected from 
HTML. XML and SGML. 



Claim 2, wherein the access control management 
manager coupled to a database including a list of 
authorized users and respective access privileges associated with each of the 
authorized users. 



1 1 .The method as recited 
comprises: 

looking up in the da^ 



in Claim 10, wherein the authenticating of the user 



. tabase for the user; and 
getting, from the database, access location information as to where the user 
is authorized tc access the electronic data if information about the user is 
located in the database. 
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12. The method as recited in Claim 11, wherein the identifier further identifiers the 
client machine; and wherein the autnenticating of the user comprises 
determining, from the access location information, whether the client machine is 
permitted by the user to access tne electronic data. 



13. (Once amended) The method ias recited in Claim 11, wherein the access location 
information pertains to locations or specific client machines from which the user 
is authorized to access the electronic data. 

14. The method as recited in Claim 1 , wherein the user key is in the client machine; 
and wherein the activating of the user key comprises: 

sending an authentication message to the client machine; and 
activating the user key with the authentication message. 

15. (Once amended) The/method as recited in Claim 14, wherein the electronic data, 
when secured, includes a header that further includes the security information 
being encrypted and a signature signifying that the electronic data is secured. 

16. (Once amended) J[he method as recited in Claim 15, wherein the security 



information includes a file key in addition to the access rules, and wherein the file 
key can be retrieved to decrypt the encrypted data portion only if access privilege 
of the user is ^ccessfully measured by the access rules. 



17. The method as recited in Claim 1 further comprising associating the activated 
user key vyith the user locally. 
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18. (Once amended) The method recited in Claim 17, wherein the electronic data, 
when secured, includes a head er that includes the security infonnation being 
encrypted and a signature signifying that the electronic data is secured; the 
encrypted security information including the access rules and a file key, and 
wherein the method further comprises: 

receiving the header from the client machine; 

decrypting the security infoimation in the header to retrieve the access rules 



therein; and 
retrieving the file l^ey when 
against access privilege 



the access rules are measured successfully 
of the user. 



19. The method as recited in Clai m 18 further comprising sending the file key to the 
client machine In which the er crypted data portion can be decrypted with the file 
key by a cipher module exectting in the client machine. 



20. (Once amended) A method f< r providing access control management to 
electronic data, the method comprising: 

authenticating a user attempting to access the electronic data; 
maintaining a private key and a public key, both associated with the user, 



wherein the electronic data, when secured, Includes a header and an 
encrypted data portion, the header further includes security information 
controlling who, howl when and where the secured electronic data can be 
accessed and the encrypted data portion is an encrypted version of the 
electronic data according to a predetermined cipher scheme; 



encrypting the security 
data is to be written 



infonnation with the public key when the electronic 
into a store; and 
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decrypting the security infoi 



ation with the private key when the electronic 



data is to be accessed b> an application. 

21 •(Once amended) The method a 5 recited in Claim 20. wherein the authentication 
of the user comprises: 

establishing a link with a cli(^nt machine from which the user is attempting to 

access the electronic data; 
demanding credential infon nation from the user; and 
receiving the credential inft irmation from the client machine over the link. 

22.The method as recited in Claim 21, wherein the credential information includes a 
pair of username and password provided by the user. 



23. The method as recited in Cla 
biometric information capturqd 
client machine. 



m 21 , wherein the credential information includes 
from the user by an apparatus coupled to the 



24. (Once amended) The method as recited in Claim 21. wherein the encrypting of 
the security information with the public key comprises: 

receiving access rules and a file key, wherein the file key has been used to 

produce the encrypte d data portion in the client machine; 
including the access rulds and the file key into the security information; and 



encrypting the security 



fiformation with the public key. 



25. The method as recited in 
generating the header 



QIaim 24 further comprising: 
\|vith the security information encrypted therein; and 
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uploading the header to the client machine where the header is Integrated 
with the encrypted data portion. 

26. The method as recited in Claim 24, wherein the access rules are expressed in a 
markup language. 

27. The method as recited in Clbim 26, wherein the markup language is one of 
Extensible Access Control Markup Language, HTML, XML and SGML. 



28. The method as recited in Claim 21, wherein the decrypting of the security 
information with the private key comprises: 

receiving the header from the client machine over the link; 
parsing the security ii^formation from the header; and 
decrypting the security information with the private key. 



29. The method as recited |n Claim 28 further comprising: 
obtaining access rules from the security information; 
determining whether the access rules accommodate access privilege of the 
user; 

when the determin ng succeeds, 

retrieving a file key from the security information; and 
sending the file key to the client machine over the link, 
when the determining fails, 

sending an error message to the client machine over the link. 
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ZO^pnce amended) The method as recited in Claim 29 wherein the error message 
indicates that the user does not have the access privilege to access the 
electronlis^ata. 

31 . (Once amendedf\rnei\}o6 for providing access control management to 
electronic data, the mett^d comprising: 

receiving a request to abbess the electronic data; 

determining security nature o^he electronic data; 

when the security nature indicate^hat the electronic data is secured, the 
electronic data including a headerWj an encrypted data portion, the 
header including security Information cbqtrolling restrictive access to the 
encrypted data portion and the encrypted d^a portion is an encrypted 
version of the electronic data according to a pre^tenmined cipher 
scheme, 

determining from the security information if the user>i|is necessary 
access privilege to access the encrypted data portiofiSand 

decrypting the encrypted data portion only after the user is d^rmined 
to have the necessary access privilege to access the encrypted 
datSPpoffioTT. 

3^. The method as recited in ( JIaim 31 further comprising retrieving a user key 
associated with a user ma dng the request. 

33. The method as recited in Claim 32 wherein said determining from the security 



information if the user has 
decrypting the security 



necessary access privilege comprises: 
nformation with the user key; 



retrieving access rules from the security information; and 
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measuring the access rules against the access privilege of the user. 

34. The method as recitea in Claim 33 further comprising: 

retrieving a file key from the security infonnation if the measuring of the 
access rules against the access privilege succeeds. 

35. The method as recited in Claim 33 further comprising: 



causing the clien 
measuring of 



machine to display an error message to the user if the 
the access rules against the access privilege fails. 



le method as recited in Claim 32, wherein the retrieving of the user key 
comprfeos: 

establishiR^^ink with a server executing an access control management; 
sending to the ser^fets^n authentication request including an identifier 

identifying the user for fhe^^cess control management to authenticate the 
user; 

forwarding the header to the server; and 
receiving a file key retrieved from the header. 

^7. The method as recited in/ciaim 36 further comprising: 
activating a cipher module; and 

decrypting the encrypted data portion by the cipher module with the received 
file key. 



38. The method as recited in 



Claim 37 further comprising loading the decrypted data 



portion into the application 
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39. The method as recited ip Claim 32, wherein the retrieving of the user key 
comprises: 

establishing a linl< vjrith a server executing an access control management: 
sending to the serv ir an authentication request including an identifier 

identifying the liser for the access control management to authenticate the 

user; 

receiving an authentication message after the user is authenticated; and 



activating the user 



I :ey locally in the client machine. 



40. The method as recited 
before the activating of 



in Claim 39, wherein the user key is in an illegible format 
the user key locally in the client machine. 



41 .A s)(stem for providing access control management to electronic data, the 
methobkcomprising: 

a clientWichine executing a document securing module that operates in a 
path throhqh which the electronic data is caused to pass when selected, 
the documen^ecuring module determining security nature of the 
electronic data, 

an access control server 8b^pled to the client machine over a network, the 
access control server inclubing an account manager managing all users 
who access the electronic data!^d 
wherein the client machine and a usertl^reof are caused by the document 
securing module to be authenticated wiuvJhe access control server when 
the security nature indicates that the electronic data is secured; and 
wherein access rules in the secured electronic data ace retrieved with a user 
with the use r. 
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42>(Dnce amended) The system as recited in Claim 41, wherein the access rules 
are rh^sured against access privilege of the user. 

43. (Once amendeSfV;^ system as recited in Claim 42, wherein the document 
securing module activabsa cipher module to decrypt an encrypted data portion 
in the secured electronic dataS5(ith a file key obtained therefrom after the 
document securing module determh^s that the access privilege of the user is 

pnrmiHnri hy thn nrrPQ;;^ ^Mlf^ 

system as recited in Claim 43, wherein the user key stays 
sdrver that receives part of the secured electronic data; and 
4s and the file key are obtained from the part of the 



44. (Once amended) The 
in the access control 
wherein the access ru 
secured electronic dat 



45. (Once amended) The 
server forwards the file 
network. 



46. (Once amended) The 
in the client machine < 
are authenticated by 



47. (Once amended) A 
electronic data, the m 
a storage device 
electronic data 
security i 



System as recited in Claim 44, wherein the access control 
key to the client machine in a secured form over the 



ystem as recited In Claim 43, wherein the user key stays 
nd is activated when both the client machine and the user 
access control server. 



tie 



syfstem for providing access control management to 

thod comprising: 
including at least an active place designated for keeping the 
secured, the secured electronic data including encrypted 
infomiation that further includes at least a set of access rules and 
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a file key, wherein the access ailes, expressed in a d^criptive language, 
protects the file key and controls restrictive acc^to the secured 
electronic data; 

a client machine coupled to the storage dev(6e and executing a document 
securing module operative to intercef^ the electronic data when the 
electronic data is caused to tranjsport from the active place; 
an access control server couple)/ to the client machine over a network and 
receiving a part of the elearonic data including the encrypted security 
information from the cHent machine, the encrypted security information 
being decrypted w|(n a user key associated with a user attempting to 
access the ele9tronic data after both the user and the client machine are 
authenticated; 

wherein the^et of access rules are measured against access privilege of the 
user in/the access control server, if successful, the file key is returned to 



the client machine to facilitate a recovery of the electronic data in clear 
mode. 



/ 



48 



(OnG^mended) A software product to be executable in a computing device for 
providing^t^ss control management to electronic data, the software product 
comprising: 

program code for eh^lishing a secured link with a client machine when an 
authentication requeshs^ceived therefrom, the authentication request 
including an identifier identiiyihg^ user from the client machine to access 
the electronic data in a secured foml^including security information and 
an encrypted data, the security informatioilSqcluding access rules and 
controlling restrictive access to the encrypted data^ortion; 
program code for authenticating the user according to thelcientifier; and 
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^de fo r activating a user key after the user is authenticated, 
wherein the user Irry h inrrl l i i iii I ' T ' i ' i I h i n nnn Tff m int ? i n thr "rr ii rity 
io fo r fRQtienr 

49. UOnce amended) The software product as recited in Claim 48 further comprising 
Y program code for maintaining an access control management, wherein the 

access control management comprises: 

a rule manager including at least one set of rules for the electronic data; and 
an administration interface from which the rules for a designated place for the 
electronic data are dreated, managed or updated. 

50. (Once amended) The software product as recited in Claim 49, wherein the 
designated place is a folder and all files in the folder are subject to the rules. 



51. (Once amended) The software product as recited in Claim 47, wherein the 
designated place is a repository and all files in the repository are subject to the 
rules. 



52. (Once amended) The software product as recited in Claim 47, wherein the rule 
manager provides a graphic user interface from which the rules can be created, 
managed or updated. 

53. (Once amended) The software product as recited in Claim 52, wherein 
parameters detemiining the rules from the graphic user interface are 
subsequently expressld in a markup language. 
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54. (Once amended) The softwa) ^product as recited in Claim 53, wherein the 
parameters expressed in the i narl<up language are uploaded to the client 
machine after the authenticating of the user succeeds. 



55. (Once amended) The software product as recited in Claim 54, wherein the 
markup language is Extensiple Access Control Markup Language. 

56. The software product as raited in Claim 54, wherein the markup language is 
selected from a group consisting of HTML, XML and SGML. 

57. The software product as ijecited in Claim 49, wherein the access control 
management further comprises a user manager coupled to a database including 
a list of authorized users jand respective access privileges associated with each 
of the authorized users. 

58. The software product as' recited in Claim 57, wherein the program code for 
authenticating the user comprises: 

program code for looking up in the database for the user; and 

program code for ge tting, from the database, access location information as 

to where the user is authorized to access the electronic data If the user is 

located in the database. 



59. The software product as recited in Claim 58, wherein the identifier further 



identifiers the client niachine; and wherein the program code for authenticating 
the user comprises program code for detemiining, from the access location 
information, whetherjthe client machine is permitted by the user to access the 
electronic data. 
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60ytO/7ce amended) The sofpare product as recited in Claim 58, wherein the 
access location informatipn pertains to locations or specific client machines from 
which the user is authorized to access the electronic data. 

61. The software product as recited in Claim 48, wherein the user key is in the client 
machine; and wherein tne program code for activating the user key comprises: 

program code for sending an authentication message to the client machine; 
and / 

program code for activating the user key with the authentication message. 

62. The software produc as recited in Claim 61, wherein the electronic data, when 
secured, includes a header and an encrypted data portion; and wherein the 
header Includes security information that can be accessed with the activated user 
key. 1 



63. 



product aH[ecited in Claim 62, wherein the security infonnation 




includes a 
retrieved to decrypt th 



les and a file key, and wherein the file key can be 

data portion only if access privilege of the user 



is successfully measured by the acce^<ules. 



.The software product as 
associating the activated 



65. The software product as 
secured, includes a 



recited in Claim 48 further comprising program code for 
user key with the user locally. 



recited in Claim 64, wherein the electronic data, when 
heajcler and an encrypted data portion, the header includes 
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security information and a fie key; and wherein the software product further 
comprises: 

program code for recejving the header from the client machine; 
program code for decrypting the header to retrieve access rules in the 
security information; and 



ieving the file key when the access rules are measured 



A/ program code for reti 

successfully agai ist access privilege of the user. 



66. The software product as recited in Claim 65 further comprising sending the file 
key to the client machinp in which the encrypted data portion can be decrypted 
with the file key by a cipher module executing in the client machine. 



/.(On^amencfeof) A software product to be executable in a computing device for 
providir^ccess control management to electronic data, the software product 
comprising: 

program code^r authenticating a user attempting to access the electronic 
data; 

program code for maintcli(;ung a private key and a public key, both associated 
with the user, wherein thd*^lectronic data, when secured, includes a 
header and an encrypted dat^^rtion, the header further includes security 
information controlling restrictive abi^ss to the encrypted data portion and 
protecting the private key and a publicity by access rules therein; 
program code for encrypting the security inforrrh^ion with the public key when 

the electronic data is to be written into a store; ^ 
program code for decrypting the security information wiTMhe private key 
when the electronic data is to be accessed by an application. 
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68. The software product as i ecited in Claim 67, wherein the program code for 
authenticating the user comprises: 

program code for establishing a link with a client machine from which the user 

is attempting to access the electronic data; 
program code for demanding credential information from the user; and 
program code for receiving the credential information from the client machine 
over the secured link. 



69. The software product 
includes a pair of 



as 



recited in Claim 68, wherein the credential information 
usermame and password provided by the user. 



70. The software product 
includes biometric 
the client machine. 



as 



recited in Claim 68, wherein the credential information 
infdrmation captured from the user by an apparatus coupled to 




71. (Once amended) The software product as recited in Claim 68, wherein the 
program code for enci ypting the security information with the public key 
comprises: 

program code for deceiving the access rules and a file key from the client 
machine over t(ie link, wherein the file key has been used to produce the 
encrypted data portion in the client machine; 
program code for ihcluding the access rules and a file key into the security 
information; and 

program code for OTcrypting the security information with the public key. 



72. The software product as recited in Claim 71 further comprising: 
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program code for generating the header with the ^curity information 

encrypted therein; and 
program code for uploading the header to the" client machine where the 

header is integrated with the encrypted^data portion. 

73. The software product as recited in Clain/74, wherein the access rules are 
expressed in a markup language. 

74. The software product as recited irVtlaim 73, wherein the markup language is 
one of Extensible Access Contror Markup Language, HTML, XML and SGML. 

75. The software product as recited in Claim 68, wherein the program code for 
decrypting the security infopiation with the private key comprises: 

program code for receiving the header from the client machine over the link; 
program code for parsing the security information from the header; and 
program code for decrypting the security information with the private key. 



76. The software prodyct as recited in Claim 75 further comprising: 

program code/for obtaining access rules from the security information; 
program co^e for determining whether the access rules accommodate access 

privilege of the user; 
when theydetermining program code is executed successfully, 
program' code for retrieving a file from the security information; and 
progra^ code for sending the file key to the client machine over the link. 
whenAhe detennining program code is executed unsuccessfully, 
program code for sending an error message to the client machine over the 
ink. 
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7/ . The software product as recrfed in Claim 76 wherein the error message indicate 
that the user does not have/the access privilege to access the electronic data. 



78. {Onqe amended) A software product to be executable in a computing device for 
providin^ccess control management to electronic data, the software product 
comprising: 

program code flirreceiving a request to access the electronic data; 
program code for determining security nature of the electronic data; 
when the security natureHndicates that the electronic data is secured, wherein 
the electronic data includihoa header and an encrypted data portion, the 
header including security inforn^tion and the encrypted data portion is an 
encrypted version of the electronic oi^a according to a predetermined 
encryption scheme, 

program code for determining from the sefei^rity information if the user 
has necessary access privilege to access th^encrypted data 
portion; and 

program code for decrypting the encrypted data portion di?^ after the 
access privilege of the user is permitted in view of the secl!i|;ity 
i nformat io n .- 



79. The software product 
retrieving a user key 



IS recited in Claim 78 further comprising program code for 
associated with a user making the request. 



80. The software product as recited in Claim 79 wherein the program code for 
determining from the security information, if the user has necessary access 



privilege, comprises: 
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program code for decrypting the security information with the user key; 
program code foj/retrieving access rules from the security infomnation; and 
program cod^or measuring the access rules against the access privilege of 
the user 



81.The^ 



roduct as recited in 



program code for retrieving 
measuring of the access rul 



)im 80 further comprising: 

om the security information if the 
iS against the acceSS^poi^ilgge succeeds. 



82. The software product as recited in Claim 80 further comprising: 

program code for causing the client machine to display an error message to 
the user if the measuring of the access rules against the access privilege 
fails. 

83. The software product as reci(ed in Claim 80, wherein the program code for 
retrieving the user key comprises: 

program code for estafc^iishing a link with a server executing an access control 
management; 

program code for sending to the server an authentication request including an 
identifier identifying the user for the access control management to 
authenticate the user; 
program code for forwarding the header to the server; and 



program code for receiving a file key retrieved from the header. 



84. The software product as recited In Claim 83 further comprising: 
program code for activating a cipher module; and 



I. 
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program code for decrypting the encrypted data portion by the cipher module 
with the received file key. 

85. The software product as recited in Claim 84 further comprising program code for 
loading the decrypted data portion into the application. 

86. The software producVas recited in Claim 79, wherein the program code for 
retrieving the user key comprises: 

program code for establishing a link with a server executing an access control 
management 

program code for sending to the server an authentication request including an 
identifier identifying the user for the access control management to 
authenticate the user; 

program code/for receiving an authentication message after the user is 
authenticated; and 

program codei for activating the user key locally in the client machine. 

87. The software product as recited in Claim 86, wherein the user key is in an 



illegible format 



lefore the activating of the user key locally in the client machine. 



88. The software pioduct as recited in Claim 86, wherein the computing device is a 
media player hiiving a network capacity, the media player generating audio 
and/or video from the electronic data when the software product is executed in 
the media player. 
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